Employers must prepare themselves for the May 25, 2018 introduction of the General Data Protection Regulation (GDPR) which will have a potentially significant impact across organisations, and particularly for fleets.
GDPR builds on existing data protection legislation with a particular focus on digitalisation and technology. Core to the Data Protection Act 1998 are eight data protection “principles”; GDPR reforms those and adds “principles” of transparency and accountability, with the ability to “prove consent” a significant pillar of the new regulation.
Supporters of ‘big data’ point to benefits that include reduced fleet vehicle downtime, safety and duty of care improvements, and the early detection of faults and wear and tear before components ‘break’, thus reducing fleet service, maintenance and repair costs and aiding budgeting.
Vehicle generated data can, according to the Society of Motor Manufacturers and Traders (SMMT), be divided into three distinct types:
- Non-brand differentiated – data that does not identify a vehicle or person. Examples include: activation of hazard warning lights, position of active emergency vehicles, road conditions, roadblocks and traffic flow data.
- Brand differentiated – data that is differentiated by vehicle manufacturer and, while anonymised, is used for brand-specific applications and support services for a vehicle. Examples include: lane marking perception, proprietary sensor data, engine operating map, gearbox operating map, engine injection behaviour, fuel pump performance, automatic transmission shifting behaviour, fault memory data, battery performance and stability control data.
- Personal data – data that supports services requiring user or vehicle identification so data handling must meet strict data and privacy protection requirements. Examples include: vehicle location, movement profile, average speed, acceleration, fuel and consumption levels, where they are combined with the Vehicle Identification Number (VIN) or some personal identifiers; navigation destinations, the user’s address book, personalised access to third-party services, infotainment settings, personalised in-car settings, and user’s health and wellbeing data.
However, the SMMT warns that “Type 1 and Type 2 data can easily become Type 3 personal data” the moment the data is tied to a personal identifier, such as, but not limited to, the VIN. For example, a vehicle manufacturer may need to identify the registered keeper – or the driver – of a vehicle whose fuel pump shows signs of a fault or an imminent breakdown, so as to alert them to take the necessary action; at that point data protection regulations apply.
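The point in the SMMT warning is linkability: a fault-memory record is “brand differentiated” only while nothing ties it to a vehicle or a person, and one join on the VIN makes it personal data. The following added example (written for this page, not SMMT or manufacturer code) works through that with constructed data: a made-up VIN, a made-up keeper register and an invented fault record. It strips identifiers to produce a Type 2 view, shows the join that turns it back into Type 3, and then pseudonymises the VIN with a keyed HMAC so that maintenance analytics can still follow one vehicle over time without carrying the VIN. The `resolve` function shows why the pseudonymised export is still personal data in the hands of whoever holds the key. The field names in `IDENTIFIER_FIELDS` are an assumption for the example; a real list would come from the organisation's own data-mapping exercise.

```python
import hashlib
import hmac

# Constructed sample data for this example: the VIN, names and fault values are made up.
FAULT_RECORD = {
    "vin": "SB1ZZ3JE50E123456",   # hypothetical VIN
    "fault_code": "P0087",        # low fuel rail pressure, the "fuel pump showing signs of a fault" case
    "fuel_pump_pressure_kpa": 210,
}
KEEPER_REGISTER = {
    "SB1ZZ3JE50E123456": {"registered_keeper": "Example Fleet Ltd", "primary_driver": "A. Driver"},
}

# Fields that tie a record to a vehicle or a person. This set is an assumption for the
# example, not a list from the page; a real inventory comes from a data-mapping exercise.
IDENTIFIER_FIELDS = {"vin", "registration", "registered_keeper", "primary_driver", "email"}


def has_direct_identifier(record):
    """True when the record carries a vehicle or personal identifier, i.e. it is Type 3 data."""
    return any(field in record for field in IDENTIFIER_FIELDS)


def strip_identifiers(record):
    """The Type 2 view of a fault record: technical fields only, nothing that names a vehicle."""
    return {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}


def link_to_keeper(record, register):
    """The join that turns a fault record into personal data: attach keeper and driver by VIN."""
    linked = dict(record)
    linked.update(register.get(record["vin"], {}))
    return linked


def pseudonym_for(vin, key):
    """Keyed pseudonym for a VIN. An HMAC rather than a plain SHA-256 is used so that a party
    without the key cannot rebuild the mapping by hashing candidate VINs."""
    return hmac.new(key, vin.encode("ascii"), hashlib.sha256).hexdigest()


def pseudonymise(record, key):
    """Export form for analytics: identifiers dropped, VIN replaced by a keyed pseudonym.
    Records from the same vehicle still share a pseudonym, so per-vehicle fault trends survive."""
    out = strip_identifiers(record)
    out["vehicle_pseudonym"] = pseudonym_for(record["vin"], key)
    return out


def resolve(pseudonym, register, key):
    """What the key holder can still do: recover the VIN behind a pseudonym by recomputing
    it over the register. This is why a pseudonymised export remains personal data for
    the controller that holds the key, even though a recipient without it sees no VIN."""
    for vin in register:
        if hmac.compare_digest(pseudonym_for(vin, key), pseudonym):
            return vin
    return None


if __name__ == "__main__":
    key = b"example-only-secret-key"   # in practice a managed secret, not a literal
    print("raw record is personal data:", has_direct_identifier(FAULT_RECORD))
    print("Type 2 view:", strip_identifiers(FAULT_RECORD))
    print("joined to register:", link_to_keeper(FAULT_RECORD, KEEPER_REGISTER))
    export = pseudonymise(FAULT_RECORD, key)
    print("pseudonymised export:", export)
    print("key holder resolves to:", resolve(export["vehicle_pseudonym"], KEEPER_REGISTER, key))
    print("without the key:", resolve(export["vehicle_pseudonym"], KEEPER_REGISTER, b"wrong-key"))
```

Running it shows the Type 2 view with no identifier, the same record carrying keeper and driver after the join, and an export whose pseudonym resolves only for the key holder. Note that dropping the VIN does not by itself make a record anonymous if it still carries a movement profile or other fields that single out one vehicle; the example only removes direct identifiers.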
It seems the advent of ‘big data’ and connected vehicles could fundamentally change the relationship between motor manufacturers, the vehicle leasing and fleet management industry, fleet decision-makers and company car drivers.
Motor manufacturers say they only use or share personal vehicle user data with the express prior consent of the user, not of the vehicle’s registered keeper, unless they have entered into a specific legal agreement with the registered keeper or have a contractual obligation to do so.
By default, therefore, vehicle manufacturers appear to be arguing that they have no obligation to provide vehicle data to registered keepers, which include leasing companies and businesses that buy their fleet vehicles outright.
That could make data handling for fleets complex: manufacturers say the primary user of a vehicle – the individual who registers for the connected vehicle services and agrees to their terms and conditions – must be at the heart of any data consent process.
The Information Commissioner’s Office (ICO), which is responsible for enforcing the law and is currently consulting on aspects of GDPR, has already undertaken some initial work with organisations including the SMMT and the British Vehicle Rental and Leasing Association (BVRLA) “in order to develop its understanding of the data protection and privacy risks arising from the deployment of connected and autonomous vehicle technology”.
An ICO spokeswoman said: “This provided some insight, but more information is needed on the types and uses of personal data processed when such vehicles are used, the way in which privacy notices are provided to people, and the level of control drivers and users have over connected services.
“As a result, the ICO plans further engagement with stakeholders to consider data protection issues related to connected and autonomous vehicles.”
The ICO in its response to a House of Lords Select Committee on Science and Technology’s call for evidence said: “There is a need to consider the volume and nature of the data that vehicles may generate and to adopt appropriate safeguards against misuse of individuals’ data.
“Personal data processed via connected and autonomous systems may include geolocation data, telematics, driver/user settings and collision information. There is also potential for data, which may initially be regarded as purely technical in nature, such as safety system information on the number of persons occupying a vehicle, to become personal data if it can be linked to a particular individual or individuals.”
Alex Ktorides, head of ethics and risk and a partner at law firm Gordon Dadds, told a recent fleet industry ‘big data’ conference: “‘Big data’ is all about having an ethical approach and that means transparency. Connected cars will generate huge amounts of data and the question is what happens to that data. It is crucial to make sure it is being ethically handled.
Calling GDPR a “big sea-change”, Mr Ktorides said with regard to connected cars and ‘big data’: “Some of the information will relate to employees and their behaviour so employers need to consider being completely transparent and hatch an ethical and transparent plan. Fleets need to plan how they will use that information and tell their employees.
“Businesses must be clear about what data they are gathering and why, where it is going and how it is being used and gain people’s consent.”
That, said Mr Ktorides, meant updating contracts of employment, employee terms and conditions and codes of conduct and he suggested anonymising data was a “very effective tool”.
He said: “If information is personal and identifies who a person is and how that employee is using their car and their behaviour then it impacts on their privacy and requires sign-off.
“There is huge value in gathering data, but that must be balanced against people having a right to privacy. Employers must put people’s rights at the forefront and show good governance and gain consent.”
Penalties for breaching the core “principles” of GDPR are potentially huge: the maximum fine for companies is €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. And while the financial cost of a data breach can be severe, the reputational damage to a business that misuses or loses data should not be underestimated.